“Let’s Talk Compliance”: OIG’s General Compliance Program Guidance: How to Refresh Compliance Programs
Editor’s Note: PYA and Foley & Lardner hosted the 6th Annual “Let’s Talk Compliance” two-day Virtual Conference on January 18 and 19, 2024. Panelists included Foley & Lardner attorneys and PYA experts. The event was hosted by Foley partner, Jana Kolarik and PYA Tampa office managing principal, Angie Caldwell. Below are a few major takeaways from Session # 1. Please reach out to us if you have any questions.
The HHS Office of Inspector General (OIG) issued its 91-page General Compliance Program Guidance (GCPG) in November 2023. In January 2024, Foley partner and Co-chair of the firm’s Health Care Practice Group, Judy Waltz, and PYA principal, Shannon Sumner, addressed the implications of the GCPG – and how to refresh existing compliance programs in response to and alignment with the GCPG – in a session that was part of the 6th Annual “Let’s Talk Compliance” series. The recording and slides from this session (and other sessions that were part of the series) can be found here.
GCPG Themes. Waltz observed that themes from the GCPG include a focus on assessing and improving operational effectiveness of the compliance program in addition to maintaining the structural basics of the program (the traditional seven elements of compliance programs); a focus on the fluidity of compliance risks and a need to assess an organization’s potentially changing risk areas on a regular basis; increased expectations for the compliance committee; and a focus on personal accountability for entity compliance – including the accountability of compliance committee members, the board, and owners (potentially private equity).
GCPG Key Insights. Sumner summarized some of the GCPG’s key insights, including the intersection of compliance with quality oversight; delineation of the compliance roles of the compliance officer, compliance committee, counsel, and board; measures for assuring that training is successful (e.g., requiring participation as a condition of employment); and an evaluation of incentives for those within the organization who further the goals of compliance.
Action Items. Although OIG confirms that adherence to the GCPG is not mandatory, its suggestions are likely to become the standards against which the compliance programs will be measured. OIG has also promised that sector specific compliance guidance will be issued to supplement the GCPG (e.g., specific guidance for managed care programs or types of providers). In addition to comparison of existing program operations against the GCPG’s suggestions, two recommendations from the GCPG stand out for immediate consideration.
- Annual Internal Risk Assessments. While the GCPG largely incorporates earlier OIG guidance in its recommendations, the GCPG newly underscores the value of an annual internal risk assessment (a requirement of recent corporate integrity agreements). The GCPG recommends that the risk assessment be the responsibility of the compliance committee – rather than the compliance officer – reflecting its importance to the entity and the need for “buy-in” from the members of the committee (who are usually on the committee because they perform a key function within the organization). Specific external references for risk assessment design are included in the GCPG. Until sector specific compliance guidance is issued, OIG suggests some common areas of focus: billing, coding, sales, marketing, quality of care, patient incentives, and arrangements with physicians, other health care providers, vendors, and other potential sources of referrals or recipients of health care business. The identified entity-specific risks should then be used for the design of audit work plans or other compliance measures. Note that while the OIG-recommended risk assessments are internal, there is no preclusion of the use of external resources as needed (e.g., auditors or counsel). Entities may wish to address the possibility of outside resources in designing their risk assessment policy.
- Checking State-Specific Exclusion Lists. As with recent corporate integrity agreements that now require checks of state exclusion lists, the GCPG recommends that all organizations have a policy and procedure on the screening of employees, contractors, and other individuals and entities against the List of Excluded and Individuals/Entities (LEIE) and any applicable State Medicaid program exclusion lists. As noted in the presentation, states may have different names for their exclusion lists; in California, for e.g., the exclusion list is called the “Suspended and Ineligible List”. Compliance requires a check against the OIG’s web-site list AND each state’s list; individuals or entities may appear on one list and not the other. States may have additional penalties for employment or contracting with an individual/entity on their lists in addition to the potential federal civil monetary penalty (CMP).
- This topic produced the most questions from the audience. Below we provide some basic guidance (beyond that of the GCPG) and underscore the caveat that individuals and entities should check their own state laws to assure full compliance.
- Federal regulations, 42 C.F.R. § 1003.200(b)(4), reflect a CMP for arranging or contracting (by employment or otherwise) with an individual or entity that the person knows, or should know, is excluded from participation in the Federal health care programs (including Medicare and Medicaid). The current amount of the CMP is $24,164. The OIG’s Health Care Fraud Self-Disclosure Protocol (updated in 2021) includes a discussion as to how to disclose conduct involving excluded persons (individuals and entities), with a possible pre-determined and potentially lesser penalty for self-disclosure. See OIG’s Health Care Fraud Self-Disclosure Protocol.
- State-specific laws and lists are specific to that state’s federal health care programs. There may be state-specific CMPs for submitting claims to the state Medicaid program for items or services furnished by an excluded person or entity and/or a penalty for contracting with an excluded person or entity. The state laws and exclusion lists should be checked for each state where items or services are provided, the entity is enrolled in Medicaid, and/or Medicaid claims are submitted (including as an out-of-state provider). Other states’ lists might be checked in situations where, for e.g., the individual recently changed their state of residence, for purposes of background assessment.
- The Affordable Care Act, Section 6501, amended Social Security Act section 1902(a)(39) to set up a requirement that states shall terminate the individual or entity’s Medicaid enrollment when that individual or entity has “for cause” lost their enrollment in another state (in accordance with guidance from Centers for Medicare and Medicaid Services (CMS) as to what that means). See also: 42 C.F.R. § 445.416 (“Must deny enrollment or terminate the enrollment”). However, until such time as the other state(s) take an action to do so, the individual or entity’s enrollment in that state remains in place. OIG has noted challenges in implementation of section 1902(a)(39)’s collateral termination provision, including confusion as to when a state is obligated to take action. See e.g., OEI-06-12-00030 (Aug. 2015).
- With respect to Medicare managed care, CMS provides a “Preclusion List” to Medicare Advantage (MA) plans and Part D plans that precludes payments to individuals or entities included on the list. A preclusion is not the same as an exclusion imposed by the OIG or a termination by a particular state. Moreover, only the MA and Part D plans have access to the preclusion list (meaning that providers and suppliers are not expected to check it). The preclusion list is not applicable to Medicaid. See generally, https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/MedicareProviderSupEnroll/Downloads/Preclusion_List_FAQs.pdf
- Enforcement Activities. Waltz and Sumner also discussed recent court cases/settlements that provide examples of risk areas that might be considered for upcoming risk assessments. These included cases involving allegedly improper physician compensation agreements (resulting in a settlement of $345 million); a settlement in which the compliance officer was the relator in a qui tam action involving clinical support services provided by a hospital system that were then billed by a physician group; primary care physicians who were alleged to have submitted unsupported diagnoses to MA plans, causing the plans to submit false claims; and criminal charges relating to a telemedicine marketing structure and involving a “look behind” of signed physician orders to assess the physician-patient relationship.
- This topic produced the most questions from the audience. Below we provide some basic guidance (beyond that of the GCPG) and underscore the caveat that individuals and entities should check their own state laws to assure full compliance.
What to do next? As noted, adopting the recommendations in the GCPG is not mandatory. However, the GCPG provides opportunities for a fresh look at existing compliance programs, and guidance in developing new programs. For example, the OIG’s detailed discussion of the compliance officer role, recommendations for keeping that role free of other conflicting roles and ensuring that the compliance officer has a reporting relationship with the board/executive team may provide structural guidance to improve program effectiveness. Compliance programs may also wish to revisit the role of the compliance committee and the introduction of the concept of performance evaluations and compensation that takes into account that committee role, with consideration of the GCPG’s views. And, as noted above, the entity may also wish to consider a review of its internal risk assessment approach and its monitoring of state exclusion lists.
[View source.]